Saturday, June 15, 2013

More on metadata

Colin Freeze has an article in today's Globe and Mail explaining what is known so far about CSE collection and use of metadata and describing some of the concerns expressed a few years ago by CSE's oversight commissioner at the time, Charles Gonthier ("How Canada's shadowy metadata-gathering program went awry," Globe and Mail, 15 June 2013):

"Some of CSEC's metadata activities raise issues that make us question whether CSEC is always in compliance with the limits," reads [a 2008] report from the office of then-CSEC watchdog Charles Gonthier, a former Supreme Court justice. It flags questionable activities and the possibility that Canadians' private information had been compromised. ...

Released only in part under access-to-information legislation, the judge's report is so heavily redacted that reading it is a real exercise in interpretation. He had concerns about overbroad metadata definitions and lax record keeping. But his real gripe was how the program contemplated handing over "foreign" intelligence to domestic agencies: Could this CSEC program really be said to be not "directed at" Canadians?

To Mr. Gonthier, it appeared that CSIS and the RCMP might get to hear things about Canadians without obtaining the usual warrants. He asked whether the fruits of a "foreign-intelligence collection" program ought to be used "in the context of a criminal or national security investigation of a Canadian in Canada."

This raises some very interesting questions.

At a guess, Gonthier's concern was that CSE was using metadata to analyze the contacts of some of its foreign intelligence targets outside Canada, determining the identities of the people they were communicating with and whom in turn those individuals were communicating with, hoping to uncover patterns of suspicious activity. Some of the resulting communications maps would ultimately extend back into Canada, and in those cases CSE may have been passing data about those contacts to CSIS and/or the RCMP to follow up, thus providing information about Canadians in Canada that normally these agencies would be able to obtain only with a warrant.

Such analyses might end up pointing the finger of suspicion at a large number of completely innocent people, but they might also provide clues vital to unraveling a terrorist plot in Canada.

Such a program might also face serious questions about its lawfulness, however. If it were consistently producing as one of its outputs lists of suspect individuals in Canada, could it really be said to be a "foreign intelligence" program not "directed at" Canadians? Would the program be lawful if one of its purposes (and not just occasional byproducts) was to provide a steady stream of information about Canadians to domestic security or law enforcement agencies that otherwise would need a warrant to obtain such information? Would it not be better to recast that part of the program as support to those domestic agencies and ground its legality in the laws governing the operations of those agencies (i.e., make the program part of CSE's "Mandate C" support to law enforcement and security agencies)?

There may be good reasons to doubt that such a program would in fact be legal under those laws. But if that's the case, does branding it as something different make it legal? If it is clear that the security benefits of the program really do outweigh its privacy costs, why not amend the relevant laws to ensure that it is on a firm legal footing?

Whatever the actual basis of Gonthier's concerns was, no changes have been made to the relevant legislation. As Freeze's article reports, it appears instead that some activities may have been halted in 2007 and then restarted under new rules in October 2008. In November 2011 a somewhat rewritten Ministerial Directive concerning the collection and use of metadata was signed.

The nature of the changes made on those occasions has not been revealed, but it appears that the current CSE Commissioner is somewhat less concerned about CSE's metadata use. In his recent public statement, Robert Décary commented that "I have reviewed CSEC metadata activities and have found them to be in compliance with the law and to be subject to comprehensive and satisfactory measures to protect the privacy of Canadians. However, given that these activities may impact the privacy of Canadians, I had already approved, prior to recent events, the start of a specific review relating to these activities."

Décary's statement also raised a new issue about metadata, however, that so far none of the media seem to have picked up on. The Commissioner reported that CSE uses metadata "only for purposes of providing intelligence on foreign entities located outside Canada and to protect information infrastructures of importance to the government [emphasis added]." The latter purpose must surely require domestic as well as foreign metadata. Is CSE therefore collecting and using domestic metadata as part of its "Mandate B" activities? What else could the CSE Commissioner have meant?